Archive for April 30, 2015

WordPress patches Stored XSS bug, Many versions affected

WordPress has issued a critical security update, WordPress Security Release 4.2.1, announced in an advisory by consultant Gary Pendergast, after a bug that allows attackers to take control of a system put millions of websites at risk.

Pendergast wrote, "A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenters to compromise a site." He added, "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those."

Discovered by Jouko Pynnönen of Finnish security company Klikki, the critical, unpatched zero-day vulnerability affects WordPress’ comment mechanism. It is a stored cross-site scripting (XSS) bug that allows a hacker to take over an entire website running the WordPress platform.

In a blog post, Klikki explained that if triggered by a logged-in administrator, under default settings, the attacker can leverage the vulnerability to execute arbitrary code on the server via the plug-in and theme editors. Alternatively, the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

The vulnerability is exploited by injecting JavaScript in the WordPress comment section and then adding 64 KB of text.

"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be long," Pynnönen said.

"The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core," he added.
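
The gap between what is validated and what is stored, as an added Python example that is not from Klikki's post or from WordPress's code: it models a 65,535-byte TEXT column that silently truncates, shows a constructed, harmless comment ending up cut off inside a tag, and applies a byte-length guard before insert. The function names and sample comments are assumptions made for illustration.

```python
MYSQL_TEXT_MAX_BYTES = 65_535  # size limit of a MySQL TEXT column, in bytes


def truncate_like_text_column(comment: str) -> str:
    """Model a non-strict insert: bytes beyond the column limit are silently dropped."""
    raw = comment.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES]
    return raw.decode("utf-8", errors="ignore")  # discard a split multi-byte character


def ends_inside_tag(html: str) -> bool:
    """True when the text stops after a '<' that is never closed by '>'."""
    return html.rfind("<") > html.rfind(">")


def check_before_insert(comment: str) -> tuple[bool, str]:
    """Hypothetical guard: reject, rather than truncate, what the column cannot hold."""
    size = len(comment.encode("utf-8"))  # the limit is in bytes, not characters
    if size > MYSQL_TEXT_MAX_BYTES:
        return False, f"rejected: {size} bytes exceeds {MYSQL_TEXT_MAX_BYTES}"
    return True, "accepted"


def demo() -> dict:
    # Constructed, harmless sample: an allowed <a> tag with a very long title attribute.
    comment = 'Nice post! <a href="https://example.com/" title="' + "A" * 70_000 + '">link</a>'
    stored = truncate_like_text_column(comment)
    # Constructed multi-byte sample: 40,000 characters but 80,000 bytes.
    accented = "é" * 40_000
    return {
        "validated_ends_inside_tag": ends_inside_tag(comment),
        "stored_ends_inside_tag": ends_inside_tag(stored),
        "stored_bytes": len(stored.encode("utf-8")),
        "guard_long_comment": check_before_insert(comment)[0],
        "guard_accented": check_before_insert(accented)[0],
        "guard_short": check_before_insert("Nice post!")[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

MySQL's strict SQL mode makes an over-long insert fail with an error instead of truncating, which closes the same gap at the database layer.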

WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected.

The bug is similar to the one reported by Cedric Van Bockhaven in 2014; the only difference in this version is the use of an excessively long comment for the same effect. In both cases, the injected JavaScript can’t be triggered in the administrative Dashboard, so these exploits require getting around comment moderation, e.g. by posting one harmless comment first.

Fake adult site infecting your phone with SMS Trojan

Researchers at Zscaler have found that a Chinese porn site is a masquerade which in reality infects your phone with malware.

When you visit the page and try to play a video, the website asks you to download a piece of software to view the video, which in reality is a trojan.

The trojan installs itself on your phone, registers as a Broadcast Receiver, and intercepts all the SMS communications that happen on your phone. Hackers use this to carry out fraudulent transactions on affected phones.

The payload filename is dynamically generated by the website so that the malware cannot be blacklisted.

Couple has important message for other parents

Recently, a couple in Washington gave out an important message to other parents after they discovered their baby monitor had been hacked.

A couple in Minnesota, whose baby monitor had also been hacked, had been in the news earlier.

“We don’t know if they could hear but we know that they were watching, for sure,” said a parent.

The couple had been using the monitor to keep an eye on their three-year-old, who complained that somebody had been talking to him over the monitor at night.

Upon investigation they found out that their baby monitor had been hacked and was being controlled by hackers.

“It got me worried that they’ve seen things maybe they shouldn’t see that are private, our privacy’s been hacked,” said the parent.
